
Philips Releases Vue PACS Security Advisory

Thirteen vulnerabilities have been found in Philips image-management platform




Affected platforms

The following platforms are known to be affected:

Threat details

Introduction

Philips has released a security advisory that addresses 13 vulnerabilities in the Philips Vue Picture Archiving and Communication System (PACS) image-management platform. Successful exploitation of these vulnerabilities could allow an unauthorised attacker to eavesdrop, view or modify data, gain system access, perform code execution, install unauthorised software, or affect system data integrity to negatively impact system confidentiality, integrity, or availability.

Philips has not received any reports of patient harm, exploitation of these issues, or incidents from clinical use.


Vulnerability details

  • CVE-2020-36518 - CWE-787 - Out-of-bounds write

A third-party product component writes data past the end, or before the beginning, of the intended buffer. A CVSS v4 score of 7.1 has been calculated.

  • CVE-2020-11113 - CWE-502 - Deserialisation of untrusted data

A third-party product component deserialises untrusted data without sufficiently verifying that the resulting data will be valid. A CVSS v4 score of 7.1 has been calculated.

  • CVE-2020-35728 - CWE-502 - Deserialisation of untrusted data

A third-party product component deserialises untrusted data without sufficiently verifying that the resulting data will be valid. A CVSS v4 score of 9.3 has been calculated.

  • CVE-2021-20190 - CWE-502 - Deserialisation of untrusted data

A third-party product component deserialises untrusted data without sufficiently verifying that the resulting data will be valid. A CVSS v4 score of 9.3 has been calculated.

  • CVE-2020-14061 - CWE-502 - Deserialisation of untrusted data

A third-party product component deserialises untrusted data without sufficiently verifying that the resulting data will be valid. A CVSS v4 score of 9.3 has been calculated.

  • CVE-2020-10673 - CWE-502 - Deserialisation of untrusted data

A third-party product component deserialises untrusted data without sufficiently verifying that the resulting data will be valid. A CVSS v4 score of 8.7 has been calculated.

  • CVE-2019-12814 - CWE-502 - Deserialisation of untrusted data

A third-party product component deserialises untrusted data without sufficiently verifying that the resulting data will be valid. A CVSS v4 score of 8.7 has been calculated.

  • CVE-2017-17485 - CWE-502 - Deserialisation of untrusted data

A third-party product component deserialises untrusted data without sufficiently verifying that the resulting data will be valid. A CVSS v4 score of 9.3 has been calculated.

  • CVE-2021-28165 - CWE-400 - Uncontrolled resource consumption

A third-party product component does not properly control the allocation and maintenance of CPU use upon receiving a large invalid packet frame. A CVSS v4 score of 8.8 has been calculated.

  • CVE-2023-40223 - CWE-269 - Improper privilege management

Philips Vue PACS does not properly assign, modify, track, or check actor privileges, creating an unintended sphere of control for that actor. A CVSS v4 score of 4.8 has been calculated.

  • CVE-2023-40704 - CWE-1392 - Use of default credentials

Philips Vue PACS uses default credentials for potentially critical functionality. A CVSS v4 score of 8.4 has been calculated.

  • CVE-2023-40539 - CWE-521 - Weak password requirements

Philips Vue PACS does not require that users have strong passwords, which could make it easier for attackers to compromise user accounts. A CVSS v4 score of 4.8 has been calculated.

  • CVE-2023-40159 - CWE-200 - Exposure of sensitive information to an unauthorised actor

An authenticated user who is not explicitly authorised to access certain sensitive information could access Philips Vue PACS on the same network and expose that information. A CVSS v4 score of 8.8 has been calculated.


Remediation advice

Affected organisations are encouraged to review the US Cybersecurity and Infrastructure Security Agency's (CISA) Medical Advisory ICSMA-24-200-01 and 'Philips VuePACS (2024-July-18)' on the Philips Security Advisories page.

For managed services customers, Philips states that new releases will be made available upon resource availability. Releases are subject to country-specific regulations. Affected organisations with questions regarding their specific Philips Vue PACS installations and new release eligibility should contact their local Philips Sales representative or submit a request in the Philips Informatics Support portal.

In addition, CISA recommends users take defensive measures to minimise the risk of exploitation of these vulnerabilities, such as:

  • Minimise network exposure for all control system devices and/or systems, ensuring they are not accessible from the internet.
  • Locate control system networks and remote devices behind firewalls and isolate them from business networks.
  • When remote access is required, use more secure methods, such as virtual private networks (VPNs), recognising VPNs may have vulnerabilities and should be updated to the most current version available. Also recognise VPN is only as secure as the connected devices.

Remediation steps

Guidance

For the following vulnerabilities, Philips recommends upgrading to the latest Vue PACS version 12.2.8.400 released in August 2023.

  • CVE-2020-36518
  • CVE-2020-11113
  • CVE-2020-35728
  • CVE-2021-20190
  • CVE-2020-14061
  • CVE-2020-10673
  • CVE-2019-12814
  • CVE-2017-17485
  • CVE-2023-40223
  • CVE-2023-40159

Guidance

For the following vulnerability, Philips recommends configuring the Vue PACS environment per 'D000763414 – Vue_PACS_12_Ports_Protocols_Services_Guide' available on Incenter. Philips also recommends upgrading to the Vue PACS version 12.2.8.410 released in October 2023.

  • CVE-2021-28165

Guidance

For the following vulnerabilities, Philips recommends configuring the Vue PACS environment per '8G7607 – Vue PACS User Guide Rev G' available on Incenter.

  • CVE-2023-40704
  • CVE-2023-40539
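The three guidance blocks above condensed into a triage helper, as an added example that is not part of the advisory and is not Philips or CISA code: given an installed Vue PACS version and whether the named configuration guides have been applied, it lists which of the thirteen CVEs remain open and the action the advisory gives for each. The CVE identifiers, CVSS v4 scores, fixed versions and guide references come from the page; the version-comparison logic and the installed-version inputs are assumptions.

```python
"""Triage helper for the Philips Vue PACS advisory (added example, not vendor code)."""
from typing import Dict, List, Optional, Tuple

# Per-CVE remediation as stated in the advisory: CVSS v4 score, the release that
# Philips says addresses it (None = no release named) and the configuration
# guide to apply (None = none required).
REMEDIATION: Dict[str, Tuple[float, Optional[str], Optional[str]]] = {
    "CVE-2020-36518": (7.1, "12.2.8.400", None),
    "CVE-2020-11113": (7.1, "12.2.8.400", None),
    "CVE-2020-35728": (9.3, "12.2.8.400", None),
    "CVE-2021-20190": (9.3, "12.2.8.400", None),
    "CVE-2020-14061": (9.3, "12.2.8.400", None),
    "CVE-2020-10673": (8.7, "12.2.8.400", None),
    "CVE-2019-12814": (8.7, "12.2.8.400", None),
    "CVE-2017-17485": (9.3, "12.2.8.400", None),
    "CVE-2021-28165": (8.8, "12.2.8.410", "D000763414 Ports, Protocols and Services Guide"),
    "CVE-2023-40223": (4.8, "12.2.8.400", None),
    "CVE-2023-40704": (8.4, None, "8G7607 Vue PACS User Guide Rev G"),
    "CVE-2023-40539": (4.8, None, "8G7607 Vue PACS User Guide Rev G"),
    "CVE-2023-40159": (8.8, "12.2.8.400", None),
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '12.2.8.400' into a comparable tuple.
    Missing trailing components count as 0, so '12.2.8' sorts below '12.2.8.400'."""
    parts = tuple(int(p) for p in text.strip().split("."))
    return parts + (0,) * (4 - len(parts))


def outstanding(installed: str, configured: bool = False) -> List[Tuple[str, float, str]]:
    """Return (cve, score, action) for each CVE still open on one Vue PACS instance.

    'installed' is the version string reported by the instance (assumed input);
    'configured' records whether the advisory's hardening guides have been applied.
    Results are sorted by CVSS v4 score, highest first, to drive prioritisation."""
    have = parse_version(installed)
    open_items = []
    for cve, (score, fixed_in, guide) in REMEDIATION.items():
        actions = []
        if fixed_in is not None and have < parse_version(fixed_in):
            actions.append(f"upgrade to {fixed_in}")
        if guide is not None and not configured:
            actions.append(f"configure per {guide}")
        if actions:
            open_items.append((cve, score, "; ".join(actions)))
    return sorted(open_items, key=lambda item: -item[1])
```

Running `outstanding("12.2.8.400")` on an instance upgraded in 2023 but never hardened shows that the upgrade alone still leaves the Jetty-style resource-consumption issue and both credential weaknesses open.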




Last edited: 19 July 2024 4:07 pm